This post goes over the different ways to join a client to the SBS 2008 network and the differences between them.

HTTP://Connect

This method replaces the http://server/connectcomputer method. http://connect is a simpler URL to remember, and you don’t need to know or remember the server name. The goal of the web page is to check some prerequisites and guide the user through the experience before the Connect Computer program starts. If we can detect the OS and browser version, instructions specific to that configuration are shown on the web page to guide the user through the series of prompts they will see before the Connect Computer program starts. If we can’t detect that, a general set of instructions is presented.

Once you select “Start Connect Computer Program”, the wizard will start.

Note: see KB957708 if the client machine can’t get to http://connect.

Portable Media

The second method involves creating portable media. Via the SBS 2008 Console, you can copy the Connect Computer launcher to portable media like a USB key. Then you can walk to each machine, plug in the USB key, and start the program (launcher.exe) that will download and start the Connect Computer wizard.

The wizard to do this is called “Connect Computers to your network” on the Getting Started Tasks and on the Network.Computers page. The wizard is a quick wizard. After the first page, you will need to select “Copy the program to portable media”.

Then, select the location to put the program.

This is followed by the confirmation and instructions on how to run the program.

What is different between http://connect and the portable media method? They both launch the Connect Computer wizard (to be covered in a forthcoming post). However, if you can’t get to http://connect due to networking issues (let’s say you are still getting DNS info via the router), you will get a page not found error. If the launcher is run locally and can’t get to the server, it will do a network repair. This includes an ipconfig release and renew. At this point, the client machine should get an IP address from the SBS server and be able to get to the package to download the Connect Computer wizard.

Native domain join

You can still natively domain join computers. The Connect Computer program only supports XP SP2 and above, and Vista. So for older OSes or server SKUs, you will have to natively join them to the domain.

Thursday, October 30, 2008

If you haven’t seen what Mesh can do, then you haven’t moved into Web 2.0 yet. Granted it’s still in Beta, but it’s very very cool. Being able to sync your files with the cloud and desktops has simplified my life greatly. In addition to access to your files from any connected device, you can remotely connect to any PC, regardless of firewall configuration! What will make it even cooler is when it can combine with Windows Home server via an add-in.

Looks like they announced some of that at PDC this week. Details on the HomeServer Blog.

This document provides an overview of the use of virtualization in a Windows® Small Business Server 2008 (Windows SBS 2008) environment, and discusses scenarios in which Windows SBS 2008 supports the Hyper-V technology.

Wednesday, October 29, 2008

A previous post introduced and explained how Autodiscover works in SBS 2008. Today I want to dive a little deeper into the gotchas to be wary of when using self-issued certificates, and talk about what you need to do with Windows Mobile to make this work as well.

Self-Issued Certificates

First of all, make sure you understand the self-issued certificate, and how it differs from a Trusted certificate for web traffic. If you can swing it, with today’s prices for a simple SSL cert, it’s far better to spend the money on a trusted certificate than to fight with your free self-issued certificate.

If you must use the Self-Issued certificate, any domain joined client computers or laptops will automatically get the self-issued certificate through Group Policy. Any remote or non-domain joined computers will not get the certificate automatically, and you will need to manually install the root certificate on these computers. SBS 2008 provides a great tool to do this automatically (This tool is not designed for the iPhone).

For Outlook Anywhere and Autodiscover to function correctly, you must either install the self-issued root certificate on the client or install a trusted certificate on the server. Otherwise you will not be able to configure Outlook Anywhere successfully using the Autodiscover feature.

Windows Mobile

Windows Mobile falls into much the same pitfalls as Outlook with a self-issued certificate. Remember, the certificate is used to verify the identity of the server to the client computer or mobile device, much like your driver’s license validates you are who you say you are when getting on a plane. If your server is configured to use a self-issued certificate, the device will refuse to talk to the server, because the SSL chain is not trusted.

To recap here:

Purchase and Install a Trusted Certificate on the server before setting up Outlook Anywhere, or any Windows Mobile/iPhone type devices, OR

Install the self-issued root certificate on remote clients, or Windows Mobile devices before you continue with connecting the PC or Device to the server

Monday, October 27, 2008

The Autodiscover service is a new feature of Exchange 2007 and Outlook 2007. The goal of the new Autodiscover service is to reduce the time spent configuring clients. Autodiscover aids in profile creation and in passing the URLs back to the client for the Offline Address Book (OAB), free/busy, and Out of Office settings. You will see a number of new virtual directories (vdirs for short) in IIS, including Autodiscover, OAB, and EWS.

Note: During SBS setup, all Exchange vdirs are “moved” from the “Default Web Site” to the “SBS Web Applications” site.

Outlook Anywhere used to be known as RPC over HTTP in the SBS 2003 timeframe. It has been renamed, but in general, it is the same. It allows an Outlook client to communicate to the Exchange Server over HTTPS. No special ports need to be opened up, just the standard 443. Exchange builds upon the Windows 2008 feature “RPC over HTTP Proxy”. It works with both Outlook 2003 and Outlook 2007. Outlook Anywhere is automatically configured when you run the Internet Address Management wizard.

With Outlook 2007 and Exchange 2007 in SBS 2008, profile creation and ongoing maintenance are greatly simplified thanks to Autodiscover. Setting up Outlook Anywhere is automatic as well.

On domain joined machines, when a user starts Outlook 2007 for the first time, they no longer have to specify any information. Outlook 2007 will start, gather the information automatically, log the user on to their mailbox, and begin retrieving information from your Exchange deployment.

On remote/non domain joined machines, you will have to do a few extra steps, but a lot less than the manual configurations with Outlook 2003 for RPC/HTTP. Basically, you will need your email address and password and you are ready to go. First, fill in the info below:

Both of those will fail in the default SBS case as the info is actually at https://remote.contoso.com/autodiscover. With Outlook 2007 SP1 and above, Outlook adds a third check. It checks for a SRV (service) record. When you run the Internet Address Management wizard with a partner, this SRV record is automatically set. It looks like:

_autodiscover._tcp IN SRV 0 0 443 remote.contoso.com

Outlook will pop up the following informational popup:

After selecting allow, Outlook will receive the XML information from the SBS/Exchange server, and automatically create your profile including your Outlook Anywhere settings.
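The lookup order described above, as an added example (not code from the original post or from Outlook): it lists the endpoints in the order they are tried and follows the SRV record only if it points at port 443 on an expected server name, which is the decision the Outlook prompt asks the user to make. The two default URL patterns and the /autodiscover/autodiscover.xml path are Outlook 2007's documented defaults and are not taken from this page; the function names, the expected-host list, the user name and the second SRV line are constructed.

```python
"""Autodiscover endpoint order for a non-domain-joined Outlook 2007 SP1 client."""
from dataclasses import dataclass

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line):
    """Parse '<owner> IN SRV <priority> <weight> <port> <target>'."""
    fields = line.split()
    if len(fields) != 7 or fields[1].upper() != "IN" or fields[2].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    owner, _, _, priority, weight, port, target = fields
    return SrvRecord(owner.lower(), int(priority), int(weight), int(port),
                     target.rstrip(".").lower())


def pick_srv(records):
    """Lowest priority wins; ties go to the highest weight (simplified RFC 2782)."""
    candidates = [r for r in records if r.owner.startswith("_autodiscover._tcp")]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.priority, -r.weight))


def srv_problems(record, expected_hosts):
    """Reasons not to follow the SRV redirect; an empty list means it looks right."""
    problems = []
    if record.port != 443:
        problems.append(f"port {record.port} is not 443 (HTTPS)")
    if record.target not in expected_hosts:
        problems.append(f"target {record.target} is not an expected server name")
    return problems


def candidate_urls(email, zone_lines, expected_hosts):
    """Return (url, source) pairs in the order the client tries them."""
    domain = email.rsplit("@", 1)[1].lower()
    urls = [
        (f"https://{domain}{AUTODISCOVER_PATH}", "domain"),
        (f"https://autodiscover.{domain}{AUTODISCOVER_PATH}", "autodiscover host"),
    ]
    srv = pick_srv([parse_srv(ln) for ln in zone_lines if ln.strip()])
    # SRV data comes from DNS, so it is only followed when it passes the checks.
    if srv and not srv_problems(srv, expected_hosts):
        urls.append((f"https://{srv.target}{AUTODISCOVER_PATH}", "SRV"))
    return urls


# Constructed sample data: the record from the post plus a lower-preference one.
SAMPLE_ZONE = [
    "_autodiscover._tcp IN SRV 0 0 443 remote.contoso.com",
    "_autodiscover._tcp IN SRV 10 0 443 backup.contoso.com",
]

if __name__ == "__main__":
    for url, source in candidate_urls("kim@contoso.com", SAMPLE_ZONE,
                                      {"remote.contoso.com"}):
        print(f"{source:18} {url}")
```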

What about Outlook 2003?

The Outlook 2003 story is similar to SBS 2003. For domain joined machines, we push a PRF file down to aid in first time profile creation to the Exchange server. Outlook Anywhere must be configured manually for domain joined machines (i.e. laptops) and non domain joined remote machines. Instructions are on Remote Web Workplace.

Thursday, October 23, 2008

SBS 2008 treats folder redirection on a per user basis, instead of a per network basis like 2003 did. What this means is that out of the box, the folder redirection policy applies to an empty security group (Windows SBS Folder Redirection Accounts). This means that any user added to this group will get their folders redirected to the server for data protection purposes.

You can either add users directly to the security group, or use the handy UI on the Users’ Tab called Redirect folders for user accounts to the server.

By simply clicking on the User Accounts folder, you can choose which users have their folders redirected. Additionally, as you can see above, you can choose what you want redirected. We do not redirect the Start Menu by default, because if a client moves to a new PC, and that new PC doesn’t have the applications installed, the start menu is full of unknown icons. Ugly!

Wednesday, October 22, 2008

When running the Configure E-Mail and Internet Connection wizard in SBS 2003, you had the option to run DHCP services on the SBS server, or leave it on the router within the network. There was no guidance one way or another; it was a choice you had to make to complete the wizard.

With SBS 2008, we provide guidance.

The guidance is that you should run DHCP on the server. Why?

Microsoft has been building a really high quality DHCP server into Windows Server since Windows NT 4. Why not get one of the highest quality DHCP servers on the market for your network?

The SBS team can ensure your DHCP server is set up correctly on SBS, making sure there are no duplicate IP addresses, and that the exclusion range is set up correctly for the server’s IP address

If you feel comfortable in the DHCP management UI, you can set up reservations to make sure the same clients get the same IP address. This is handy for printers, or other things on your network that may act like servers, but you don’t want to manage the static IP address

If you’re logging in remotely, you can see which clients are online by which ones have IP addresses in the DHCP management console. You can also see each client’s IP address right in the console, so it makes it easy to find clients on the network, especially if you are remote.

DHCP uses limited resources and has essentially no impact on the server’s performance

If the above 5 reasons aren’t good enough for you, and you absolutely must run the DHCP service on the router, here is how you do it.

Close the Windows SBS Console, and cancel the Connect to the Internet Wizard if it’s running

Click Start and go to All Programs and expand Windows Small Business Server

At this point, the DHCP services will be forced to start. Since you have another DHCP server running on the network, the DHCP service will stop itself, and log an event in the Event Log about how it can’t start because there is another non-authorized DHCP server on the network. This is ok.

Immediately click the same button, this time called Disable DHCP.

Now the networking components of the server will ignore the fact that the DHCP service is not running, keep it disabled, and let you proceed with the Connect to the Internet Wizard without having to disable the DHCP services.

IMPORTANT: Please do not call Microsoft support with an incorrectly configured LAN DNS. Make sure you make the SBS’s Internal IP address the primary DNS in your 3rd party DHCP server configuration.

Finally, the server is still going to alert you that DHCP services aren’t running, so to fix this:

Flip on over to the Computers sub-tab on the Network tab.

On the right, click on View Notification Settings.

Uncheck the DHCP Server notification, and click OK.

Now DHCP services is no longer running on the server, and SBS will be fine with that. As a final note, please only do this if you have no other way around it, and if you’re familiar with your router UI to set it up correctly. If not, just disable DHCP on your router, and we’ll take care of the rest!
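A check for the DNS requirement in the IMPORTANT note above, added here as an example (not from the original post or from SBS): it parses saved `ipconfig /all` output from a client and reports any DHCP-configured adapter whose first DNS server is not the SBS server. The addresses, the host name and the function names are constructed for illustration.

```python
"""Verify that a router-run DHCP scope hands out the SBS server as primary DNS."""
import re

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z0-9 \-]+?)[ .]*:\s*(.*)$")
# Extra values of a multi-value field sit alone on a deeply indented line.
CONTINUATION_RE = re.compile(r"^\s{10,}(\S+)\s*$")


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} from `ipconfig /all` output."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        if current is None:
            continue  # global section before the first adapter
        m = CONTINUATION_RE.match(line)
        if m and last_key:
            current[last_key].append(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            value = m.group(2).strip()
            current[last_key] = [value] if value else []
    return adapters


def dns_findings(text, sbs_ip):
    """List DHCP-configured adapters that do not use the SBS server as primary DNS."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        if fields.get("DHCP Enabled") != ["Yes"]:
            continue  # static configuration, not handed out by the DHCP server
        dns = fields.get("DNS Servers", [])
        if not dns:
            continue  # disconnected adapter, no lease to inspect
        dhcp = (fields.get("DHCP Server") or ["unknown"])[0]
        if dns[0] != sbs_ip:
            findings.append(f"{name}: primary DNS is {dns[0]}, expected {sbs_ip} "
                            f"(lease from DHCP server {dhcp})")
    return findings


# Constructed sample: the router (192.168.16.1) runs DHCP and lists itself
# first as DNS; the SBS server is 192.168.16.2.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : CLIENT01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.local
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.16.101(Preferred)
   Default Gateway . . . . . . . . . : 192.168.16.1
   DHCP Server . . . . . . . . . . . : 192.168.16.1
   DNS Servers . . . . . . . . . . . : 192.168.16.1
                                       192.168.16.2
"""

if __name__ == "__main__":
    for finding in dns_findings(SAMPLE, "192.168.16.2"):
        print(finding)
```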

Tuesday, October 21, 2008

In the previous version of SBS, the Configure E-Mail and Internet Connection Wizard (CEICW) could be run again and again and again ... and again. If you had an issue with networking, you’d run the wizard as many times as you wanted to reset to the known SBS defaults. With 2008, we provided a wizard for exactly this case, called “Fix My Network” wizard.

The wizard is designed to detect known problems on your network, and then give you the option to fix them or not. There are roughly 70-80 different checks and fixes that it does. Some important things to note:

The fixes may have dependencies. For example, if the wizard detects that the DHCP services are stopped, it will report that, but won’t be able to check the configuration inside the DHCP service, because it’s stopped. So, it’s important to run this wizard a few times, until you’re happy with the issues it’s finding/not finding.

If you replace your router on your network, or change your router IP address, you should consider running the Connect to the Internet Wizard first.

The wizard is designed to bring the network back to a “known good” working state. So any custom configuration will be un-done.

Now that you know how to use the wizard, what exactly are the things we keep an eye on? Well, to know exactly, you would have had to work on the wizard, but here is the high level.

Network Cards

Disabled Network Cards

Additional Network Cards

Duplicate IP, Missing IP, Extra IP addresses

Incorrect DNS, Gateway and subnet settings

NIC unplugged from the network

DHCP Configuration

DHCP Enabled and running

DHCP scope settings

DHCP IPv4 and IPv6 settings

Local DNS Configuration

Missing Zones

Invalid Names and domains

Missing records

Reverse Zones invalid or missing

Internet DNS (if with a domain name partner)

Missing Records

Missing or incorrect credentials

Domain configured and in good standing with provider

Dynamic DNS client is configured correctly (if running)

SSL Certificate Configuration

Invalid Root and Leaf Certificates

Invalid Certificate installation package

Certificate installed on IIS

Self-Issued certificates expiring or invalid

Certificate authority is installed and running

Trusted Certificate installed and valid

Router Configuration

Gateway can be reached

Internet can be reached

UPnP (if available) port mappings

VPN (if enabled)

Firewall configuration

RRAS service enabled and running

VPN default Policy is in place

E-Mail Configuration

SMTP connectors configured correctly

IIS Configuration

IIS is enabled and running

Host headers are configured correctly

A Common Question

Question: Does SBS support NIC Teaming?

Answer: The core OS supports it, but the SBS wizards do not. It’s recommended you configure your network with a single network card, and then set up the team afterwards. Microsoft Support mentions they may ask you to disable the team for any troubleshooting.

Monday, October 20, 2008

Today marks the day when SBS 2008 starts shipping localized versions. SBS plans to release in 18 different languages, the second 4 countries that will be available are: Spanish, Dutch, French, and Polish. They have released today and will be available as soon as possible. I’d suspect anywhere from 1-5 months after the English version is available. We can’t control the fill of the channels.

Friday, October 17, 2008

By default, when the console opens when you log in, the Console is in normal mode, not advanced mode. But there are extra buttons and gadgets in the advanced console for you to play with. Simply close the console, and open the Advanced console:

I bet you’re wondering what the differences are. Well, they are very subtle:

Thursday, October 16, 2008

Due to the overwhelming number of downloads for the SBS 2003 Best Practice Analyzer, the product team and support team have worked extra hard to get the 2008 Best Practice Analyzer out before the general availability of the product on November 12th.

With Exchange Server 2007 bundled with Forefront Security for Exchange, both of which come with SBS 2008, you get a lot of protection on your e-mail. But how does it actually work? Let’s break it down.

With Exchange 2007 only

If you only have Exchange 2007, without Forefront Security for Exchange (FSE), then with SBS 2008, you get the Exchange Standard CAL. This CAL entitles you to content filter updates that are published every two weeks via Microsoft Update. You can reference this TechNet article for more information on this.

With Exchange 2007 and Forefront Security for Exchange

If you chose to install Forefront Security for Exchange during SBS setup, you are entitled to more regular updates. (You can also do this with an Exchange Enterprise CAL, which is not included with SBS.)

When checking multiple times a day, you get the IP Reputation Service data (an IP Block list that is offered exclusively to Exchange 2007 customers), spam signature data, as well as the content filter updates.

Note on un-installing: If you choose to un-install FSE after the trial, you are no longer entitled to updates more than every two weeks. You will have to do this manually.

SBS Specific Information

If you install FSE during SBS setup, then you get the anti-spam updates multiple times a day. However, FSE asks Microsoft Update, which on your machine is WSUS (if you left it installed). WSUS only asks the actual Microsoft Update once a day. So you are still ahead of the two week standard server, but you aren’t getting updates multiple times per day, so you may want to consider changing your schedule if this is important to you.

Data Usage Note: If you pay for bandwidth, it’s important to note that each signature download is roughly 6MB, and with this happening multiple times a day, you could be using more data than you’re used to. The second paragraph of this TechNet article talks about how it checks for signatures multiple times per hour. Make sure to adjust the schedule to meet your needs (and in some places, budget):

Wednesday, October 15, 2008

It’s true, you get 60 days to trial SBS. All of SBS, that’s a lot of things to test out in 60 days. Well, you are in luck! With a simple command line you can extend the 60 day trial, another 180 days for a total of 240 days. It’s super easy.

First you need an elevated command prompt. Once you have one of those open, simply run the command slmgr.vbs -dli. This command takes a few minutes to run, and pops up a screen to tell you how long you have left in your evaluation period.

To extend the evaluation period and add the extra 180 days, type the command slmgr.vbs -rearm in the same elevated command prompt.

But I must warn you, once you get past day 80, studies have shown that SBS is so addictive, that it will most likely be a major part of your network, and you’ll be committed. So choose wisely if you plan to extend the evaluation period, you could end up buying it!

Tuesday, October 14, 2008

Today marks the day when SBS 2008 starts shipping localized versions. SBS plans to release in 18 different languages, the first 4 countries that will be available are: Brazil, German, Italy, and Turkey. They have released today and will be available as soon as possible. I’d suspect anywhere from 1-5 months after the English version is available. We can’t control the fill of the channels.

November 12th is creeping up faster than you are probably thinking about it. The Launch will be a virtual launch, hosted at The Dream Server Launch website. I will be participating in the launch event, along with a few of my SBS and EBS buddies. Be there or Be Square!

Also, secure your position as trusted advisor by implementing Windows Essential Server Solutions to help your customers reduce costs and increase productivity by streamlining their IT infrastructure. Generate leads by inviting your customers and prospects to the Windows Essential Server Solutions special launch webcast using guidance and an invitation email template.

A long time ago, in a version far far away, I blogged how to have Exchange 2003 on SBS 2003 answer for multiple domain names in this blog post (along with 3 other parts for across SBS 2003). For all 4 blog posts, the idea is still the same, except that the steps and UI may have changed. Since we’ve already seen people asking how to have Exchange host multiple domains with SBS 2008, I thought I’d blog it. Adam beat me to building and testing the steps, so this post comes from him!

Click Start and point to All Programs and click on Microsoft Exchange Server 2007 and then launch the Exchange Management Console.

Expand Organization Configuration and select Hub Transport.

On the right, under Actions, click on New Accepted Domain …, and wait for the wizard to pop-up

In the Name field, enter a friendly name, like Contoso Email

In the Accepted Domain field, enter the domain name you’d want to appear after the “@” in the email, e.g. contoso.com.

Finally, leave the setting set to Authoritative Domain.

Click New to create the new domain name, and then Finish once it’s done processing.

On the right, under Actions, now click on New E-Mail Address Policy …, and wait for the wizard to pop-up

Enter a friendly name, like Contoso Email Policy, leave the default as All recipient types, and click Next.

Ensure no extra conditions are applied and click Next.

Click Add… to add a new E-mail address format

Ensure E-mail address local part is checked, and use alias is selected.

Specify a custom fully qualified domain name (FQDN) for e-mail address should read the same as the domain name you’re adding from above.

Note: double check the use alias, as it could change by specifying a FQDN, then click OK.

On the Schedule page, ensure Immediately is selected and click Next.

Click New to execute the policy, and then Finish once it’s applied.

Important: Any new domain you set up becomes primary (what users send-as), so you’ll have to use the steps below to update which one should be primary.

At this point, provided your Internet DNS MX addresses for both domain names are pointed to the WAN IP of the SBS network (typically the WAN IP of the router, or ISA firewall), you will now receive email for both domain names. By default, the new domain you added will be the primary domain name, and the domain everyone sends as.

One important thing to note is that the SBS console will only show the primary domain name in the console. If you want to switch which domain is primary, you can do that too:

Open up the Exchange Management Console again and expand Organization Configuration, and select Hub Transport.

Right-click on the policy for the address you want to be primary, and click on Change Priority, and change it to “1” (without the quotes), and click OK. Exchange will adjust the priorities on the other policies automatically.

One final thing to note is that if your primary domain name is automatically managed by a domain name provider, we will only keep the primary domain IP address up to date with the domain name provider. So if you are on a Dynamic IP, and rely on the Dynamic DNS client included with SBS 2008, you may want to consider some DNS configuration that keys off the “A Record” of the primary domain name, as that’s the only one we adjust.

Thursday, October 09, 2008

Just picked me up a Samsung Jack, I love it. It’s responsive, it’s got the full tactile keyboard (touch screen wasn’t doing it for me), and it’s been flashed to Windows Mobile 6.1 from the Samsung Support Website (Simply search for “Windows Mobile 6.1” and you should find it).

The only drawback of the phone was how slow the “wheel” scrolls. This is configurable in the Registry. Simply browse to HKLM / Software / Samsung / KeyRun. Push the Values button, and look for WheelSpeed. Change the value to 0, and close the registry editor, no reboot required.